OFFICE OF INSPECTOR GENERAL
Audit Report
Fiscal Year 2010 Evaluation of Information Security at the Railroad Retirement Board

This abstract summarizes the results of the subject audit. The full report includes information protected from disclosure and has been designated for limited distribution pursuant to 5 U.S.C. § 552.

Report No. 11-01
November 05, 2010

RAILROAD RETIREMENT BOARD

Report Abstract
Fiscal Year 2010 Evaluation of Information Security at the Railroad Retirement Board

This abstract summarizes the results of the Office of Inspector General (OIG) evaluation of information security at the Railroad Retirement Board (RRB) for FY 2010.

The Federal Information Security Management Act of 2002 (FISMA) mandates that agencies develop, document, and implement an agency-wide information security program. FISMA establishes minimum requirements for the management of information security.

The RRB's information system environment consists of three major application systems and one general support system, each of which has been designated as a moderate-impact system in accordance with standards and guidance promulgated by the National Institute of Standards and Technology (NIST).

The RRB has made significant progress in implementing an information security program that meets the requirements of FISMA; however, a fully effective program has not yet been achieved. For example, the RRB has taken action to address its significant deficiency in access controls, but a significant deficiency remains in internal control over the certification and accreditation review process for contractor deliverables.

During FY 2010, we observed that the RRB's program for ensuring that agency servers comply with required configuration settings is not fully effective, and that the agency did not complete external reports of all Category 1 security incidents. Previously identified weaknesses in the areas of security plans, information security and privacy training, periodic testing and evaluation, an effective remedial action process, continuity of operations, the inventory of systems, risk assessment, and privacy continue to exist. Also, although the agency addressed the significant deficiency in access controls, weaknesses in that area still need to be addressed.

The RRB continues to address open audit recommendations pertaining to its information security weaknesses.

The RRB's certification and accreditation program remains ineffective because of a significant deficiency in the internal control structure over the review of contractor deliverables. We found that the actions taken to date would not ensure accurate and reliable information consistently among the individual reviewing offices over time. As a result, the RRB cannot ensure that its information systems are operating at an acceptable level of risk to agency operations, assets, or individuals. Since final documentation supporting the results of the contractor's work is not expected to be completed until early FY 2011, we were unable to fully assess this area of the RRB's information security program.

The RRB continues to need improvement in implementing risk-based policies and procedures that are comprehensive and effective in all areas of the agency's information security and privacy programs. In FY 2010, the agency began conducting routine vulnerability scans, but it does not have a procedure for considering all relevant factors when determining which vulnerabilities to remediate. We also observed that the agency was not performing routine scans to verify compliance with the agency-wide configuration policy settings. Risk-based policies and procedures serve to secure the agency's information and information systems. Compliance scans of server settings alert the agency where modifications need to be made to ensure a more secure environment.

The RRB's incident handling and reporting program is generally effective in ensuring the confidentiality, integrity, and availability of the agency's information and information technology; however, we found that some incidents were not reported externally to the United States Computer Emergency Readiness Team (US-CERT) as required. Because the RRB misapplied OMB criteria for external breach notification, it failed to report incidents of potential PII breaches to US-CERT. As a result, the RRB is not in full compliance with incident handling and reporting requirements.

We have made specific recommendations for corrective actions to address the weaknesses identified in our audit. The Bureau of Information Services has agreed to implement our recommendations to improve the information security program at the RRB.